| From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, misha1966 misha1966 <mmisha1966(at)bk(dot)ru> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Re[2]: CVE-2022-2625 |
| Date: | 2022-09-16 05:51:16 |
| Message-ID: | 4a9318f774cec1052f76eb017eb87cf63c572c3c.camel@cybertec.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
> =?UTF-8?B?bWlzaGExOTY2IG1pc2hhMTk2Ng==?= <mmisha1966(at)bk(dot)ru> writes:
> > Is there a patch for 9.6 ?
>
> No; that's out of support too.
>
> I'm a little bemused by your fixation on this particular CVE,
> though. As such things go, it's not a very big deal. It's only
> of interest if you are routinely installing new extensions, *and*
> those extensions' scripts contain insecure uses of CREATE OR
> REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
> instead. I would not have thought an institution that's so
> frozen that it can't update to an in-support PG version would be
> doing a lot of new extension installations.
A lot of times, requests like that come from a brainless kind of
institutionalized security: we have to install all software updates
that say "CVE". Never mind that username = password and
the application is running with a superuser.
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2022-09-16 06:14:08 | Re: Re[2]: CVE-2022-2625 |
| Previous Message | Mladen Gogala | 2022-09-15 23:59:32 | Re: Is it possible to stop sessions killing eachother when they all authorize as the same role? |